AWS
How to scan and encrypt objects in S3 buckets
This article explains how to scan objects in S3 buckets against malware and keep your objects encrypted with SSE-KMS
With the accelerated shift to the cloud, companies are tasked with securing troves of data to maintain compliance, reputation, and meet business needs. It is up to developers to build the necessary cloud applications that can process and store various file types and sizes.
Since many applications integrate AWS S3 into their architectures for file record requirements, organizations are concerned that the files uploaded could contain malicious content and disrupt downstream workflows and business process throughout the organization.
Part of ensuring these applications can properly secure data and reduce the risk of it being stolen is by making sure that objects in Amazon Simple Storage Service (Amazon S3) buckets are encrypted. That way, even if the cybercriminal collects the data, they won’t be able to do anything malicious with it. Think of it like someone stealing a safe that has been secured by a designated lock key, without taking the key that is specifically meant to unlock it. Yes, it sucks that the safe was stolen, but without the key needed to unlock the safe, at least they can’t access any of the high-value information.
So, how can you go about integrating proper file storage security into your applications to meet business needs? Trend Micro Cloud One™ – File Storage Security now supports Server Side Encryption (SSE) in the Amazon Web Services (AWS) Key Management System (KMS). This allows you to use all the benefits of File Storage Security malware detection, with AWS-managed keys for safe encryption of your Amazon S3 objects.
9 Ways AWS S3 File Storage Security Helps DevOps Teams
You know you need security to not only improve the quality of your applications but make your entire organization happy. With File Storage Security, you can appease everyone, from CISOs to SecOps, to Cloud Engineers, while building with maximize confidence. That’s the dream, right?
Here’s a breakdown of features that will make your life easier:
- Simple deployment as an AWS CloudFormation template
- Includes AWS Lambda functions as part of its event-driven architecture
- Seamless integration into your cloud-native infrastructure
- Customization of the service that fits into your CI/CD pipeline
- Customizable post-scan actions to alert upstream or downstream users across your workflows
- Automated scanning and remediation of malicious files at source in near real time
- Keeps your files and data within your AWS account for optimum compliance
- Ability to quarantine risky files within another location in the account that is away from your application
- Part of the Trend Micro Cloud One™ platform. See why platform security solutions are ideal for developers
How File Storage Security Works with S3 Buckets
In this demo, we will be using the free trial of Trend Micro Cloud One - File Storage Security. File Storage Security helps ensure your Amazon® Simple Storage Service (Amazon S3) buckets are free from malware by deploying cloud-native security that can be integrated into your custom Amazon S3 workflows.
Once you’ve created your free trial account, you’ll see the Trend Micro Cloud One™ dashboard with several solutions. File Storage Solution is one of seven solutions that make up Trend Micro Cloud One, a SaaS-based security services platform that simplifies your security strategy with enhanced cloud security across your entire infrastructure.
To enable SSE encryption, follow these steps:
- Go to your File Storage Security console and select Deploy.
- Select Scanner Stack and Storage Stack to deploy the all-in-one stack
- In the Deploy Scanner Stack and Storage Stack dialog make sure you’re signed into your AWS account and select the region that matches the region of your Amazon Simple Storage Services (Amazon S3) bucket (double check it is supported by File Storage Security here). You can select Review Stack to view before launching it. Once you’re ready, select Launch Stack.
- Now you’re in the AWS Quick create stack page. Fill it out like this:
- Stack name
- S3BucketToScan
- KMSKeyARNForBucketSSEE—enter the ARN of the KMS master key used to encrypt the Amazon S3 bucket objects
- There are some other optional boxes, but the above is most important. Leave everything else as is, and then click Create stack.
- Wait while the stacks are installed. This could take several minutes, but you’ll be notified by three CREATE_COMPLETE messages when installation is complete for the File Storage Security stacks.
Now you’re well on your way to improved data storage security via SSE-KMS encryption and File Storage Security. See how to go all the way and generate your own scan here.
Alternatively, building your own file-scanning security systems from scratch can be initiated with good intentions, however over time it can they can become difficult and expensive for a team to operate, lead to narrow functionality, and have limited ease of use. In addition, you must also rely on open source malware lists that may be outdated, meaning you may not benefit from the additional deep rich day to day research that cyber security organizations have entire teams working on to curate and test for risks from multiple sources of research, and up to date risks including zero days.
You need a solution that is purpose-built for easy integration into cloud native application development and runtime workflows. This means you can leverage cloud native services that are easy to maintain, and require minimum effort to support, allowing you to build at lightning speed without security concerns holding you back.
Conclusion: Organizations need modern and scalable cloud native security that can help them meet compliance requirements and protect their cloud ecosystem. File Storage Security provides seamless integration into your AWS S3 workflows with automated malware scanning remediation and proper encryption of sensitive data with SSE-KMS provided by AWS. All of this allows you to meet business needs, make SecOps happy, improve your application quality, reduce post-deployment stress, and help achieve compliance for your organization.
Start building better without pesky security interruptions by signing up for a free 30-day Trend Micro Cloud One trial to gain access to File Storage Security and more.
Want to learn more? Explore how to leverage Amazon S3 Malware Scanning using Trend Micro Cloud One and AWS Security Hub.